This is the third in a series of blog posts related to our recently concluded study of the published vulnerabilities associated with Kubernetes and Docker. If you missed part 2, you may want to read it first, so you can better appreciate the difficulties involved in identifying relevant vulnerabilities and better understand how we grouped the vulnerabilities we found. In the discussion below, we refer to the relevant / partly relevant vulnerability groups by the platform-name abbreviation, K8s or Dock, and to the configuration/distribution-related vulnerability groups as K8s Dist or Dock Cfg.
In the charts and discussion below, we consider what effect, if any, was noted relating to the COVID-19 time period. If you are familiar with the CYR3CON concept of CyRating, feel free to skip the next paragraph.
As described in an earlier technical paper, CYR3CON uses CyRating – a risk measurement that reflects the current real-world threat to vulnerabilities – to predict which vulnerabilities are at real-world risk of exploitation. CyRating scores scale from 1.00 to 38.46, where a vulnerability with a CyRating of 10.00 is 10x more likely to be exploited than a vulnerability with a CyRating of 1.00. Because CyRating expresses the relative likelihood that a vulnerability will be exploited by hackers, its calculation is driven by threat intelligence obtained from various sources, such as hacker-community data collected from the darkweb, deepweb, social media, and other open sources.
Below is a chart that tracks CVEs from all four groups of vulnerabilities we have been looking at and indicates, by a simple count, the number that had a CyRating of 25 or higher in any month during 2019 and 2020. This level of CyRating indicates significant hacker interest and a high level of real-world threat. It is interesting (and telling) to note that shortly after a large portion of the world went into lockdown due to the COVID-19 pandemic, there was a spike in the real-world threat to Docker- and Kubernetes-related vulnerabilities. With much of the digital workforce working remotely, interest in cloud-native development presumably spiked, and hacker interest spiked right along with it.
Contrasting the above bump chart with the two below, we see that over the past two years hacker interest in Kubernetes has been steadily growing at a general level (CyRating >= 2), while an “echo” bump appeared in summer 2020 (CyRating >= 5), possibly indicating that the spring interest in Kubernetes/Docker was diluted among other similar CVEs.